Re: lynx-dev Lynx CRLF Injection (fwd)
From: pg
Subject: Re: lynx-dev Lynx CRLF Injection (fwd)
Date: Tue, 20 Aug 2002 06:41:39 -0600 (MDT)
In a recent note, Ulf Härnhammar said:
> Date: Tue, 20 Aug 2002 08:48:43 +0200
>
> On Mon, Aug 19, 2002 at 07:27:41PM -0700, Bela Lubkin wrote:
> > If there's no user exposure, I don't see why this is any sort of
> > security alert at all. If it causes a security problem for servers,
> > those servers are still at risk -- people just have to use
> > _any other program that does socket I/O_ (including an unpatched Lynx)
> > to attack those servers.
>
I agree with Bela that security of a server should be the responsibility
of the server. Any attempt to enforce server security by restrictions
on clients ultimately restricts my freedom to program my own computer,
to which I have strong philosophical objections.
> Read the second paragraph of Technical Details again. It allows people to
> break out of restrictions, which is what security holes are all about.
>
But Ulf appears to be concerned that this hole may thwart administrators'
intent to restrict users to a captive environment, which is a legitimate
concern.
> telnet and netcat don't handle URLs. Lynx does.
>
Nonsense. Telnet handles any stream of characters the user cares to type,
including the path part of a URL. I've readily used telnet to access
WWW servers. This can be as simple as:
telnet www 80
GET /
(I just tried it; it returned the HTML source of the home page of our server.)
-- gil
--
StorageTek
INFORMATION made POWERFUL
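The thread argues over whether a client should stop CR/LF in a URL from reaching the wire. The following added example (not code from the thread or from Lynx) shows the request a naive client builds from a path containing CR/LF next to one that percent-encodes the path first; the path, host name and function names are assumptions for illustration.

```python
"""Added example: client-side handling of CR/LF in the path part of a URL.

A client that copies the URL path straight into the request line lets a
crafted URL end the line early and append header lines of its own; a client
that percent-encodes the path first sends exactly one request line.
"""
import re
from urllib.parse import quote

# Characters that terminate or break an HTTP request line.
CTL = re.compile(r"[\r\n\x00]")


def injects_headers(path: str) -> bool:
    """True if writing `path` unencoded would split the request into extra lines."""
    return CTL.search(path) is not None


def naive_request(path: str, host: str) -> bytes:
    """Request as built by a client that does no encoding (the weak form)."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def safe_request(path: str, host: str) -> bytes:
    """Request with the path percent-encoded, so \\r and \\n become %0D and %0A."""
    if CTL.search(host):
        raise ValueError("control character in host name")
    encoded_path = quote(path, safe="/?=&")
    return f"GET {encoded_path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def request_lines(raw: bytes) -> list:
    """Split a request into the lines the server would actually parse."""
    return raw.decode("ascii").split("\r\n")


if __name__ == "__main__":
    # Constructed sample URL path carrying an injected header line.
    crafted = "/index.html\r\nX-Injected: 1"
    print(request_lines(naive_request(crafted, "www")))   # extra header line appears
    print(request_lines(safe_request(crafted, "www")))    # single request line
```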